NowSecure Mobile App Risk Intelligence (MARI) Safeguards Mobile App Ecosystems
Posted by Brendan Hann
Mobile apps have become indispensable to modern businesses, yet they present significant risks when not properly secured. NowSecure benchmark data indicates that 85% of apps found in public app stores have security flaws and 70% have the potential to leak personal data.
NowSecure Mobile App Risk Intelligence (MARI) protects organizations by providing insight around pervasive mobile app risks that jeopardize businesses. By identifying pervasive security, safety and privacy risks in mobile apps from Google Play and the Apple App Store, the MARI solution empowers security, IT operations and Global Risk & Compliance (GRC) teams to make informed decisions about which third-party mobile apps to allow in their mobile ecosystems.
Gain Awareness About Pervasive Risks
Identifying and managing security, safety and privacy risks is critical for safeguarding sensitive data and ensuring compliance with industry regulations.
NowSecure frequently observes common, pervasive mobile app risks that lead to failures during automated mobile application security testing assessments, ADA Mobile Application Security Assessments (MASA) validations and Mobile App Pen Testing as a Service engagements.
For example, NowSecure expert pen testers frequently encounter some of the same mobile app security and privacy issues across Android apps:
- 75% of apps have misconfigured cryptographic libraries and often leave sensitive data unprotected.
- 85% of apps have vulnerabilities stemming from integrated SDKs, which can expose apps to third-party risks.
- 80% of apps improperly prepare code for release, introducing bugs and vulnerabilities that compromise security post-launch.
While these results underscore the importance of thoroughly and continuously testing mobile apps, they also present risk to individuals who use those mobile apps. An employee using an app that incorrectly encrypts data exposes the organization to real risks such as credential harvesting and stuffing attacks.
In addition to the risks identified during expert pen testing, NowSecure Platform automated assessments uncover several recurring, impactful vulnerabilities. In 16% to 30% of assessments, we identify the following findings:
- SSL Configuration Allows Insecure Connections: Improper SSL configurations expose apps to man-in-the-middle attacks.
- Debuggable WebViews Found in Code: This can allow attackers to access sensitive data or perform malicious actions.
- Initialization Vector Reused for Encryption: Reusing initialization vectors reduces the effectiveness of encryption, making it easier for attackers to decrypt sensitive information.
- Hardcoded Cryptographic Keys: Hardcoded keys can be easily extracted, allowing unauthorized access to encrypted data.
- Insecure Symmetric Encryption Modes: Poor encryption practices make it easier for attackers to decipher communications and data.
These findings highlight areas where development and security teams must focus their efforts in building secure mobile applications. They also demonstrate some of the potential risks to individuals using these apps.
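To make the hardcoded key and reused initialization vector findings concrete, the following added example (not NowSecure code or output) puts a flagged encryption routine beside a corrected one using plain JCE calls. The class name, key value and sample message are constructed, and AES-GCM with a random 12-byte nonce is this example's choice of replacement mode.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class CryptoFindingsDemo {
    // FLAGGED: key material compiled into the app (constructed sample value).
    static final byte[] HARDCODED_KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
    // FLAGGED: one constant IV shared by every message.
    static final byte[] STATIC_IV = new byte[16];

    static byte[] encryptFlagged(byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding"); // no integrity protection
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(HARDCODED_KEY, "AES"), new IvParameterSpec(STATIC_IV));
        return c.doFinal(plaintext);
    }

    // Corrected: caller-supplied key, fresh random 12-byte nonce per message, AES-GCM.
    static byte[] encryptCorrected(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array(); // nonce || ciphertext+tag
    }

    static byte[] decryptCorrected(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12); // throws if the data was modified
    }

    public static void main(String[] args) throws Exception {
        byte[] msg = "session-token=constructed-sample".getBytes(StandardCharsets.UTF_8);
        // Same key and same IV: identical plaintexts give identical ciphertexts.
        System.out.println("flagged repeats:   " + Arrays.equals(encryptFlagged(msg), encryptFlagged(msg)));
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey(); // assumption: on Android, generate this in the Android Keystore
        byte[] a = encryptCorrected(key, msg), b = encryptCorrected(key, msg);
        System.out.println("corrected repeats: " + Arrays.equals(a, b));
        System.out.println("round trip ok:     " + Arrays.equals(decryptCorrected(key, a), msg));
    }
}
```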
MARI empowers security, IT operations and GRC teams to make informed decisions about which third-party mobile apps to allow in their mobile ecosystems.
Pervasive risks are also persistent risks! After identifying these risks, mobile DevSecOps teams frequently encounter obstacles in fully remediating them. Persistent risks require special attention to remediate, leaving mobile apps and users vulnerable to attacks. Some of the most persistent issues NowSecure Platform automated mobile application security testing and expert PTaaS identifies include:
- Context Registered Broadcast Receivers Not Protected with Permissions: This issue leaves apps vulnerable to unauthorized actions from other apps.
- Debuggable WebViews Found in Code: While often overlooked, this can remain an ongoing issue even after developers believe it has been addressed.
- Insecure Implementation of WebView SSL Error Handling: Improper error handling can allow attackers to intercept communications.
- Hardcoded Cryptographic Keys: Even when flagged, removing or properly handling hardcoded keys is a complex task.
- App Vulnerability to Strandhogg: This vulnerability allows malicious apps to pose as legitimate ones, creating a serious risk to users and data.
Addressing these challenges requires a robust and consistent approach to mobile app risk management. That requires building and managing a safe mobile app ecosystem for employees and partners to use. NowSecure is uniquely positioned to provide the intelligence needed to remove pervasive mobile app risks from the apps you build and to make more informed decisions about the apps to allow in your ecosystem.
Monitor Apps with MARI
NowSecure MARI offers a comprehensive solution for identifying security, safety and privacy risks in apps. It empowers security, IT operations and GRC teams to proactively manage third-party risk by providing:
- Comprehensive third-party app risk data: Gain visibility into the security risks associated with apps used within your organization.
- Security, compliance, and privacy scores: Quickly assess the risk of an app based on a risk scoring system.
- Bulk risk intelligence for MDMs, SOCs and GRC platforms: Quickly retrieve detailed security, compliance and privacy risk data for apps across your existing systems, streamlining the approach to managing mobile app security risks.
By leveraging the insights and intelligence provided by NowSecure MARI, organizations can achieve the following benefits:
- Reduce business risk
- Adapt quickly to security breaches or advisories
- Ensure or maintain compliance
- Accelerate onboarding
- Benchmark across industries
Contact us today to schedule a demo and learn how MARI can safeguard sensitive data across mobile app ecosystems and protect your organization from security threats.